Pexip Infinity configuration for an on-prem Lync / Skype for Business environment
This section describes the configuration required on the Pexip platform to integrate Pexip Infinity with an on-prem Lync / Skype for Business
As the Pexip Infinity Conferencing Nodes typically will reside on a private IP network for this type of Lync/SfB integration, the Conferencing Nodes will require access to a TURN server to ensure that RTP media (audio/video/presentation) can be exchanged with remote/external and federated Lync/SfB clients across firewalls/NAT. This TURN server is typically deployed outside the enterprise firewall or in a public DMZ.
Pexip Infinity is compatible with standards-based (RFC 5766) TURN servers such as Cisco VCS Expressway. TURN services are also offered by various commercial vendors, most of which will be compatible with Pexip Infinity. The Pexip Reverse Proxy and TURN Server features a built-in TURN server which can be used for this purpose. For more information, see Pexip Reverse Proxy and TURN Server.
* Note that where this documentation refers to "Lync/SfB", it represents both Microsoft Lync and Skype for Business unless explicitly stated otherwise.
The deployment process assumes that the Management Node and the Conferencing Nodes have already been configured with basic settings, such as an IP address and NTP server, and that the Conferencing Nodes have already been configured with one or more Virtual Meeting Room aliases for the SIP domain to be used, such as email@example.com.
Providing all of the Conferencing Nodes in the application pool are all deployed in the same system location e.g. Europe, no additional clustering configuration is required on the Pexip platform.
The Pexip Infinity configuration consists of the following steps, each described in more detail in the following sections:
- Assigning a server certificate to the Conferencing Nodes.
- Configuring a Lync / Skype for Business server per location.
- Configuring DNS records and DNS servers.
- Configuring the SIP TLS FQDN setting for the Conferencing Nodes.
- Configuring the Pexip Infinity domain.
- Configuring a TURN server per location (optional, but required for supporting external/federated Lync/SfB clients).
- Configuring a STUN server per location (optional, but required if the TURN server is not located outside of the enterprise firewall).
After completing the Pexip Infinity configuration, you must also perform the Lync / Skype for Business server configuration for an on-prem deployment.
When integrating Pexip Infinity with an on-prem Lync/SfB environment, every Conferencing Node must be configured with a TLS server certificate which matches their respective FQDNs (Fully Qualified Domain Name), and the Lync/SfB servers must trust this certificate. Server certificates are typically issued by a Certificate Authority (CA) within the Lync/SfB environment itself (normally this will be the CA which was used to provide the Lync/SfB servers themselves with server certificates).
For more information about creating certificate signing requests, see Certificate creation and requirements for Lync / Skype for Business integrations.
In our example deployment, any of the Conferencing Nodes may communicate with the Lync/SfB environment. Calls from Lync/SfB to Pexip Infinity are routed from the FEP to any of the Conferencing Nodes in the application pool, and outbound calls from Pexip Infinity to Lync/SfB may be initiated by any Conferencing Node. To ensure that the Lync/SfB environment trusts these Conferencing Nodes, a certificate that is trusted by the Lync/SfB servers must be assigned to every node.
We recommend that you generate and use a single SAN certificate that encompasses all of the Conferencing Nodes in the application pool.
In the certificate:
- the Subject name (commonName attribute) must be the Trusted Application Pool FQDN
- Subject Alternative Name (altNames attribute) entries must be included for every node in the pool, plus the common application pool FQDN.
Therefore, in our example, the Subject name (commonName) and SAN (altNames) sections for the certificate to be installed on every Conferencing Node would be configured as:
commonName = eu-px.example.com
altNames = eu-px01.example.com, eu-px02.example.com, eu-px03.example.com, eu-px.example.com
Assigning the certificate to Conferencing Nodes
To assign a server certificate and private key to one or more Conferencing Nodes:
- From the Management Node, go to and select .
- Copy-paste the TLS certificate and its associated Private key into the relevant text boxes, or alternatively use the links to upload the certificate and private key files.
- In the Nodes section, from the Available Nodes list, select every Conferencing Node in the application pool (eu-px01.example.com, eu-px02.example.com and eu-px03.example.com in our example), and move them into the Chosen Nodes list.
- Select Conferencing Nodes. . The certificate and private key will be pushed automatically to the selected
Uploading trusted CA certificates
If the server certificate has been issued by one or more intermediate CAs (Certificate Authorities), these intermediate certificates must be uploaded. You can upload them as a single-file bundle by going toand selecting .
See Certificates issued by intermediate CAs for more information.
To allow internal Conferencing Nodes to call out to Lync/SfB clients you must define the target Lync/SfB servers. In our example deployment, a Lync/SfB Front End pool has been deployed in Europe with the pool address eu-lyncpool.example.com.
To instruct the Conferencing Nodes in the Europe system location to use the Europe-based Lync/SfB Front End pool, you must first define the Lync/SfB Front End pool on the Management Node, and then link it to the Europe location, as follows:
Go toand select :
Complete the fields and select.
In the example above, the Europe Lync/SfB server has been defined by its pool name FQDN eu-lyncpool.example.com.
Note that the Lync/SfB server can be a Front End Server/Processor or a Director; it cannot be an Edge Server.
- To assign the new Lync/SfB server to the appropriate location, go to and select the Europe location.
In the Lync / Skype for Business server field, select the Europe Lync/SfB server from the drop-down list, and then select .
In DNS, ensure that the following records are configured:
- An A-record for each Conferencing Node. In our example this would be 3 records with host names of eu-px01, eu-px02 and eu-px03, and that they each point to individual IP address of the node.
- Another A-record per Conferencing Node. This time the host name of every record should be eu-px.example.com (the application pool name of the Conferencing Nodes), and again associate it with the IP address of each Conferencing Node. This step allows Lync/SfB to spread the traffic across all of the Conferencing Nodes.
Pexip Infinity DNS server configuration
Ensure that Pexip Infinity is configured to use DNS servers on the inside of the network ( , and then assigned to each location via ). This ensures that Pexip Infinity can resolve internal hostnames, which is mandatory for communicating with Lync/SfB on-prem.
If you omit this step and use an external DNS server instead, calls might drop after a few minutes when Pexip Infinity verifies that the remote side is still responding properly. This is because an external DNS server cannot resolve the internal hostname of the Lync/SfB FEPs.
The SIP TLS FQDN setting for each Conferencing Node must be configured to reflect its DNS FQDN.
This is done on the Management Node, by going to , choosing each node in turn and populating the SIP TLS FQDN field.
The example above shows the SIP TLS FQDN for the eu-px01 Conferencing Node, which is set to eu-px01.example.com.
For any Pexip Infinity and Lync/SfB integration, you must ensure that each Conferencing Node is configured with its respective DNS hostname as the SIP TLS FQDN. Pexip Infinity will present this as being the server name, and it must match the name on the certificate installed on the node. Each Conferencing Node must have a unique SIP TLS FQDN.
You must specify the name of the SIP domain that is routed from Lync/SfB to Pexip Infinity for this deployment. This domain is inserted into the From header in outbound calls from Pexip Infinity to Lync/SfB, and ensures that Lync/SfB can route messages back to Pexip Infinity when, for example, initiating content sharing.
You specify this by going to Pexip Infinity domain (for Lync / Skype for Business integration) setting:and configuring the
This must be set to the same SIP domain as used by the static route from Lync/SfB to Pexip Infinity, which is vc.example.com in our example (see Creating a static SIP domain route and associating this route with a trusted application).
This configuration is optional, but required for supporting external/federated Lync/SfB clients.
To allow internal Conferencing Nodes to establish two-way media connectivity with remote/external and federated Lync/SfB clients across firewalls/NAT, media may be relayed via a TURN server. In our example, the TURN server has the IP address 203.0.113.5.
To instruct the Conferencing Nodes to use the TURN server, we must first define the TURN server on the Management Node, and then link it to the Europe location, as follows:
- Go to
- Complete the fields and select
In the example above, the TURN server has been defined by its IP address and Port, in addition to the Username and Password for our TURN user (which has already been created on the TURN server).
- Assign this TURN server to the appropriate location: go to Europe location. and select the
- In the TURN server field, select the Europe TURN server from the drop-down list, and then select .
This configuration is optional, but required if you need to relay media via a TURN server with external and federated Lync/SfB clients, but the TURN server is not located outside of the enterprise firewall. In this case, you will also need to configure separate STUN servers per location. This allows a Conferencing Node to discover its public NAT address, which is essential in Lync/SfB deployments.
Configuring STUN server addresses
To add, edit or delete STUN server connection details, go to.
Note that Pexip Infinity ships with one STUN server address already configured by default: stun.l.google.com
Associating STUN server addresses with Conferencing Nodes
To associate a STUN server address with a Conferencing Node, you must configure the node's system location:
- Go to .
- Select the Conferencing Node's location.
- Select a STUN server and select .
All Conferencing Nodes in that location will use the nominated STUN server for conference calls.